Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    [media] usbvision fix overflow of interfaces array

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usbvision-fix-overflow-of-interfaces-array.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 27 Oct 2015 09:51:34 -0200
Subject: [media] usbvision fix overflow of interfaces array

From: Oliver Neukum <oneukum@suse.com>

commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.

This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: Moritz Muehlenhoff <moritz@wikimedia.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbvision/usbvision-video.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in
 	printk(KERN_INFO "%s: %s found\n", __func__,
 				usbvision_device_data[model].model_string);
 
+	/*
+	 * this is a security check.
+	 * an exploit using an incorrect bInterfaceNumber is known
+	 */
+	if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+		return -ENODEV;
+
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
 	else if (ifnum < dev->actconfig->desc.bNumInterfaces)


Patches currently in stable-queue which might be from oneukum@suse.com are

queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch

Re: Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

[Vladis Dronov]

>> If you, or anyone else, feels it should not be added to the stable tree,
>> please let <stable@vger.kernel.org> know about it.

please, do not add 588afcc1. reasons: see upstream commit:

commit d5468d7afaa9c9e961e150f0455a14a9f4872a98
[media] usbvision: revert commit 588afcc1

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer


----- Original Message -----
From: gregkh@linuxfoundation.org
To: oneukum@suse.com, gregkh@linuxfoundation.org, "hans verkuil" <hans.verkuil@cisco.com>, mchehab@osg.samsung.com, moritz@wikimedia.org, vdronov@redhat.com
Cc: stable@vger.kernel.org, stable-commits@vger.kernel.org
Sent: Saturday, June 4, 2016 9:43:20 PM
Subject: Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

This is a note to let you know that I've just added the patch titled

    [media] usbvision fix overflow of interfaces array

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usbvision-fix-overflow-of-interfaces-array.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.

>From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 27 Oct 2015 09:51:34 -0200
Subject: [media] usbvision fix overflow of interfaces array

From: Oliver Neukum <oneukum@suse.com>

commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.

This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: Moritz Muehlenhoff <moritz@wikimedia.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbvision/usbvision-video.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in
 	printk(KERN_INFO "%s: %s found\n", __func__,
 				usbvision_device_data[model].model_string);
 
+	/*
+	 * this is a security check.
+	 * an exploit using an incorrect bInterfaceNumber is known
+	 */
+	if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+		return -ENODEV;
+
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
 	else if (ifnum < dev->actconfig->desc.bNumInterfaces)


Patches currently in stable-queue which might be from oneukum@suse.com are

queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch

Re: Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

[Greg KH]

On Mon, Jun 06, 2016 at 05:47:52AM -0400, Vladis Dronov wrote:
> >> If you, or anyone else, feels it should not be added to the stable tree,
> >> please let <stable@vger.kernel.org> know about it.
> 
> please, do not add 588afcc1. reasons: see upstream commit:
> 
> commit d5468d7afaa9c9e961e150f0455a14a9f4872a98
> [media] usbvision: revert commit 588afcc1

Thanks for the info, I knew there was some reason I had dropped this
before.

Moritz, please tell Debian to also drop it so that I don't make this
mistake for the 3rd time sometime in the future...

thanks,

greg k-h

Re: Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

[Moritz Muehlenhoff]

On Tue, Jun 07, 2016 at 05:25:32PM -0700, Greg KH wrote:
> On Mon, Jun 06, 2016 at 05:47:52AM -0400, Vladis Dronov wrote:
> > >> If you, or anyone else, feels it should not be added to the stable tree,
> > >> please let <stable@vger.kernel.org> know about it.
> > 
> > please, do not add 588afcc1. reasons: see upstream commit:
> > 
> > commit d5468d7afaa9c9e961e150f0455a14a9f4872a98
> > [media] usbvision: revert commit 588afcc1
> 
> Thanks for the info, I knew there was some reason I had dropped this
> before.
> 
> Moritz, please tell Debian to also drop it so that I don't make this
> mistake for the 3rd time sometime in the future...

Sorry for the confusion! I've updated the Debian kernel security tracker
to drop the wrong commit reference.

The kernel in Debian unstable is using 4.6.1 now, so it no longer carries
backported patches for this bug.

Cheers,
        Moritz

Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    [media] usbvision fix overflow of interfaces array

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usbvision-fix-overflow-of-interfaces-array.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 27 Oct 2015 09:51:34 -0200
Subject: [media] usbvision fix overflow of interfaces array

From: Oliver Neukum <oneukum@suse.com>

commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.

This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbvision/usbvision-video.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in
 	printk(KERN_INFO "%s: %s found\n", __func__,
 				usbvision_device_data[model].model_string);
 
+	/*
+	 * this is a security check.
+	 * an exploit using an incorrect bInterfaceNumber is known
+	 */
+	if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+		return -ENODEV;
+
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
 	else if (ifnum < dev->actconfig->desc.bNumInterfaces)


Patches currently in stable-queue which might be from oneukum@suse.com are

queue-4.4/lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch
queue-4.4/cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch
queue-4.4/r8152-fix-the-wake-event.patch
queue-4.4/sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch
queue-4.4/r8152-adjust-aldps-function.patch
queue-4.4/smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch
queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch
queue-4.4/r8152-use-test_and_clear_bit.patch
queue-4.4/usb-musb-ux500-fix-null-pointer-dereference-at-system-pm.patch

Patch "[media] usbvision fix overflow of interfaces array" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    [media] usbvision fix overflow of interfaces array

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     usbvision-fix-overflow-of-interfaces-array.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 27 Oct 2015 09:51:34 -0200
Subject: [media] usbvision fix overflow of interfaces array

From: Oliver Neukum <oneukum@suse.com>

commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.

This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/usbvision/usbvision-video.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in
 	printk(KERN_INFO "%s: %s found\n", __func__,
 				usbvision_device_data[model].model_string);
 
+	/*
+	 * this is a security check.
+	 * an exploit using an incorrect bInterfaceNumber is known
+	 */
+	if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+		return -ENODEV;
+
 	if (usbvision_device_data[model].interface >= 0)
 		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
 	else


Patches currently in stable-queue which might be from oneukum@suse.com are

queue-4.4/cdc-acm-fix-null-pointer-reference.patch
queue-4.4/usbvision-fix-overflow-of-interfaces-array.patch
queue-4.4/usbnet-cleanup-after-bind-in-probe.patch